sdbot.worm.gen

Hi,
please could someone help me?
The antivirus detects sdbot.worm.gen.g but I'm not able to remove it.

Here is the HJT logfile:

Logfile of HijackThis v1.99.0
Scan saved at 14.35.28, on 29/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programmi\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\McAfee\McAfee VirusScan\VsStat.exe
C:\Programmi\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Programmi\File comuni\Network Associates\McShield\Mcshield.exe
C:\Programmi\McAfee\McAfee VirusScan\Avconsol.exe
C:\Programmi\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Programmi\ISTsvc\istsvc.exe
C:\WINDOWS\luxaekum.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Programmi\BullsEye Network\bin\bargains.exe
c:\programmi\180solutions\sais.exe
C:\Programmi\Web_Rebates\WebRebates0.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Web_Rebates\WebRebates1.exe
C:\WINDOWS\system32\spoolvs.exe
G:\removal tool\FixBadtr.exe
G:\removal tool\FixBlast.exe
G:\removal tool\FixCRed.exe
C:\ht\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=135831
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=135831
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=135831
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Programmi\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
O4 - HKLM..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM..\Run: [start extracting] spoolvs.exe
O4 - HKLM..\Run: [Alogserv] C:\Programmi\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM..\Run: [IST Service] C:\Programmi\ISTsvc\istsvc.exe
O4 - HKLM..\Run: [Au7G] C:\WINDOWS\luxaekum.exe
O4 - HKLM..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM..\Run: [sais] c:\programmi\180solutions\sais.exe
O4 - HKLM..\Run: [BullsEye Network] C:\Programmi\BullsEye Network\bin\bargains.exe
O4 - HKLM..\Run: [Power Scan] C:\Programmi\Power Scan\powerscan.exe
O4 - HKLM..\Run: [xoxeh] C:\WINDOWS\xoxeh.exe
O4 - HKLM..\Run: [WebRebates0] "C:\Programmi\Web_Rebates\WebRebates0.exe"
O4 - HKLM..\RunServices: [start extracting] spoolvs.exe
O4 - HKLM..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Aurelia\IMPOST~1\Temp\djtopr1150.exe"
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [start extracting] spoolvs.exe
O4 - HKCU..\RunServices: [start extracting] spoolvs.exe
O8 - Extra context menu item: Web Rebates - file://C:\Programmi\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programmi\SideFind\sidefind.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104150831659
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: Gestione AVSync - Networks Associates Technologies, Inc. - C:\Programmi\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown - C:\Programmi\File comuni\Network Associates\McShield\Mcshield.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

I strongly suggest you click on the link in my signature and follow the instructions in the malware removal section. Your system is loaded with malware!

And out of curiosity. Why do you ask here for help while you are using McAfee and not Avast?

Until yesterday evening AVAST was running on the system, then this morning I tried with Norton, but the only one that found something is McAfee.
According to your experience, why do some antiviruses not detect all viruses?

Thank you for your reply. We're cleaning the PC in safe mode.

It is just impossible for an AV company to hire the manpower to add every virus, trojan etc. to the database (and keep it up to date, of course).

Besides that, most people call something a virus while it isn’t.
See HERE for what a virus really is. (and other definitions)

I haven't looked in detail at your log, but what I saw was mostly spy-/adware related and not viruses.

PS: I will post the result of my HJT log analyzer here a little later today.


CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using the latest version of HijackThis.
You are using the latest version of Internet Explorer.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\program files\windows servead\winservad.exe
\windows\system32\dslagent.exe
\program files\windows servead\winservsuit.exe
\programmi\istsvc\istsvc.exe
\windows\luxaekum.exe
\program files\internet optimizer\optimize.exe
\program files\internet optimizer\actalert.exe
\programmi\bullseye network\bin\bargains.exe
\programmi\180solutions\sais.exe
\programmi\web_rebates\webrebates0.exe
\programmi\web_rebates\webrebates1.exe
\windows\system32\spoolvs.exe
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://www.couldnotfind.com/search_page.html?&account_id=135831
r1 - hkcu\software\microsoft\internet explorer\main,search page = http://www.couldnotfind.com/search_page.html?&account_id=135831
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = http://www.couldnotfind.com/search_page.html?&account_id=135831
r3 - urlsearchhook: (no name) - _{cfbfae00-17a6-11d0-99cb-00c04fd64497} - (no file)
o2 - bho: adp urlcatcher class - {f4e04583-354e-4076-be7d-ed6a80fd66da} - c:\windows\system32\msbe.dll
o2 - bho: bhobj class - {00000010-6f7d-442c-93e3-4a4827c2e4c8} - c:\windows\nem220.dll
o2 - bho: bhobj class - {8f4e5661-f99e-4b3e-8d85-0ea71c0748e4} - c:\windows\wsem302.dll
o2 - bho: bahelper class - {a3fdd654-a057-4971-9844-4ed8e67dbbb8} - c:\programmi\sidefind\sfbho.dll
o2 - bho: adp urlcatcher class - {f4e04583-354e-4076-be7d-ed6a80fd66da} - c:\windows\system32\msbe.dll
o3 - toolbar: istbar - {5f1abcdb-a875-46c1-8345-b72a4567e486} - c:\progra~1\istbar\istbar.dll
o4 - hklm..\run: [windows servead] c:\program files\windows servead\winservad.exe
o4 - hklm..\run: [start extracting] spoolvs.exe
o4 - hklm..\run: [ist service] c:\programmi\istsvc\istsvc.exe
o4 - hklm..\run: [au7g] c:\windows\luxaekum.exe
o4 - hklm..\run: [sais] c:\programmi\180solutions\sais.exe
o4 - hklm..\run: [bullseye network] c:\programmi\bullseye network\bin\bargains.exe
o4 - hklm..\run: [power scan] c:\programmi\power scan\powerscan.exe
o4 - hklm..\run: [xoxeh] c:\windows\xoxeh.exe
o4 - hklm..\run: [webrebates0] "c:\programmi\web_rebates\webrebates0.exe"
o4 - hklm..\runservices: [start extracting] spoolvs.exe
o4 - hklm..\runonce: [djtopr1150.exe] "c:\docume~1\aurelia\impost~1\temp\djtopr1150.exe"
o4 - hkcu..\run: [start extracting] spoolvs.exe
o4 - hkcu..\runservices: [start extracting] spoolvs.exe
o8 - extra context menu item: web rebates - file://c:\programmi\web_rebates\sy1150\tp1150\scri1150a.htm
o9 - extra button: sidefind - {10e42047-deb9-4535-a118-b3f6ec39b807} - c:\programmi\sidefind\sidefind.dll
o16 - dpf: {386a771c-e96a-421f-8ba7-32f1b706892f} (installer class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1104150831659
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {9a9307a0-7da4-4daf-b042-5009f29e09e1} (activescan installer class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
o23 - service: zesoft - unknown - c:\windows\zeta.exe


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hklm..\run: [sunjavaupdatesched] c:\programmi\java\j2re1.4.2_06\bin\jusched.exe
o4 - hklm..\run: [internet optimizer] "c:\program files\internet optimizer\optimize.exe"
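The analyzer output above is essentially a list of autostart and browser entries that look wrong. The script below is an added example (it is not the HJT log analyzer the replier mentions, and not code from the thread) that shows how such a triage can be automated: it parses HijackThis-style R1/O2/O4/O23 lines and flags those that trip a few defender heuristics. The sample lines are copied from the log posted earlier in this thread; the heuristics (RunServices key, bare filenames in Run keys, one command registered in several autostart locations, binaries sitting directly in the Windows directory, a search setting carrying an `account_id` tracking parameter) are assumptions chosen for illustration, not rules from the tool.

```python
"""Triage helper for HijackThis-style log lines (added example, not the
thread's own tool). Parses R1/O2/O4/O23 lines and flags entries that trip
a few defender heuristics; the heuristics are illustrative assumptions."""
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis lines quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=135831
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM..\Run: [start extracting] spoolvs.exe
O4 - HKLM..\Run: [Au7G] C:\WINDOWS\luxaekum.exe
O4 - HKLM..\RunServices: [start extracting] spoolvs.exe
O4 - HKCU..\Run: [start extracting] spoolvs.exe
O4 - HKCU..\RunServices: [start extracting] spoolvs.exe
O23 - Service: McShield - Unknown - C:\Programmi\File comuni\Network Associates\McShield\Mcshield.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
""".strip()

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# A file directly under the Windows directory (not System32, not Program Files).
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)


def parse(log):
    """Split each HJT line into its section code, body and the target it points at."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code.startswith("R"):            # R1: <registry value> = <url>
            target = body.split("=", 1)[1] if "=" in body else ""
        elif code == "O4":                  # O4: <hive>..\<key>: [<name>] <command>
            target = body.split("]", 1)[1] if "]" in body else ""
        else:                               # O2/O3/O23: ... - <path>
            target = body.rsplit(" - ", 1)[-1]
        entries.append({"raw": raw.strip(), "code": code, "body": body,
                        "target": target.strip().strip('"')})
    return entries


def triage(entries):
    """Return [(raw_line, [reasons])] for entries that trip at least one heuristic."""
    # How many autostart locations point at the same command?
    autostart = Counter(e["target"].lower() for e in entries if e["code"] == "O4")
    findings = []
    for e in entries:
        code, body, target = e["code"], e["body"], e["target"]
        reasons = []
        if code.startswith("R") and "account_id=" in target:
            reasons.append("browser search setting points at a URL carrying an account_id parameter")
        if code == "O4" and "RunServices" in body:
            reasons.append("RunServices key: a Win9x-era key that Windows XP does not process")
        if code == "O4" and "\\" not in target:
            reasons.append("bare filename, resolved via the search path instead of a full path")
        if code == "O4" and autostart[target.lower()] > 1:
            reasons.append(f"same command registered in {autostart[target.lower()]} autostart locations")
        if code in ("O2", "O4", "O23") and WINDOWS_ROOT_RE.match(target):
            reasons.append("binary sits directly in the Windows directory")
        if code == "O23" and " - Unknown - " in body and WINDOWS_ROOT_RE.match(target):
            reasons.append("service with no vendor string")
        if reasons:
            findings.append((e["raw"], reasons))
    return findings


def triage_log(log):
    """Parse and triage a whole log; convenience wrapper used by the demo below."""
    return triage(parse(log))


if __name__ == "__main__":
    for raw, reasons in triage_log(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("   ->", r)
```

On the sample above the known-good entries (the Java updater, the Acrobat BHO and the McShield service, whose vendor string is also "Unknown" but whose binary lives under Programmi) pass untouched, while the four `spoolvs.exe` autostart entries, the two binaries in the Windows root, the ZESOFT service and the hijacked search setting are reported with the reason each one tripped. The point of a heuristic pass like this is to prioritise what a human looks at first; it does not replace the signature-based detection the thread discusses.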